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One PIA may be prepared to cover multiple websites or applications that are functionally 
comparable as long as agency or bureau practices are substantially similar across each website 
or application. However, any use of a third-party website or application that raises distinct 
privacy risks requires a complete PIA exclusive to the specific website or application. 
Department-wide PIAs must be elevated to the OCIO for review and approval. 


SECTION 1: Specific Purpose of the Agency’s Use of the Third-Party Website or 
Application 


1.1 What is the specific purpose of the agency’s use of the third-party website or 
application and how does that use fit with the agency’s broader mission? 


Foursquare is a U.S. owned web-based application that provides a free social 
networking service for mobile devices, which is used by millions of users world-wide. Its 
primary function for users is the logging or “checking in” of the user's location by using a 
mobile website, text messaging or application. Commercial and non-commercial 
enterprises manage location data and can use check-in-related codes for promotional 
purposes. Foursquare users can create personal profiles, connect with “friends,” 
exchange location data through notifications, share photos, post comments, earn virtual 
badges based on frequency of check-ins, and create locations for other users to use as 
check-in locations. User profiles may include name, city of residence, email address, 
telephone number, photos, tips about visited locations, history of check in locations, 
badges earned, social networking contact links, and a “friends” list. Foursquare users 
can communicate with the public via public tips, which are comments regarding a 
particular location. Users can set their own privacy settings and control who sees their 
information and what information is shared. 


The Department of the Interior established an official presence on Foursquare to 
disseminate information to the public, promote public participation and collaboration, and 
increase government transparency. DOI bureaus and offices use Foursquare to assist 
in promoting locations they manage, such as national parks. Foursquare permits 
owners or operators of locations to “claim” the location; the owner or operator is then 
permitted to post additional information about the location, provide special promotional 
opportunities related to the location, and view a dashboard of location statistics. The 
primary account holder is the Department of the Interior Office of Communications, 
which will be responsible for ensuring information posted on the Department's primary 
official Foursquare page is appropriate and approved for public dissemination. DOI 
bureaus and offices are responsible for ensuring information posted on their official 
Foursquare page is appropriate and approved for public dissemination in accordance 
with applicable laws, regulations, and DOI privacy, security and social media policies. 


1.2 Is the agency’s use of the third-party website or application consistent with all 
applicable laws, regulations, and policies? What are the legal authorities for the 
use of the third-party website or application? 


Presidential Memorandum on Transparency and Open Government, January 21, 2009; 
OMB M-10-06, Open Government Directive, December 8, 2009; OMB M-10-23, 
Guidance for Agency Use of Third-Party Websites and Applications, June 25, 2010; the 
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Paperwork Reduction Act, 44 U.S.C. 3501; the Clinger-Cohen Act of 1996, 40 USC 
1401; OMB Circular A-130; 210 Departmental Manual 18; 110 Departmental Manual 5. 


SECTION 2: Any PII that is Likely to Become Available to the Agency Through the Use of 
the Third-Party Website or Application 


2.1 


2:2 


2.3 


2.4 


What PII will be made available to the agency? 


If a user of Foursquare checks in at a DOI location or posts a tip regarding a DOI 
location, their name, contact information, location and time of check in, photo, or other 
PII may become available to DOI. The Department does not collect or share PII from 
the use of Foursquare, except in unusual circumstances where user interactions indicate 
evidence of criminal activity, a threat to the government, a threat to the public, or an 
employee violation of DOI policy. This information may include name, username, email 
address, photos, images, videos, audio, content of messages, blogs or postings, or other 
personal information provided by the user, and may be used to notify the appropriate 
agency officials or law enforcement organizations. 


What are the sources of the PII? 


Sources of information are Foursquare users world-wide, including members of the 
general public and Federal employees and may include other government agencies and 
private organizations. 


Will the PII be collected and maintained by the agency? 


DOI does not actively collect, maintain or disseminate PII from users of Foursquare. 
However, if a Foursquare user interacts with DOI on its official Foursquare page, checks 
in at a DOI location, posts a tip regarding a DOI location, or requests information from 
their use of Foursquare, their name, username, email address, location data, time of 
check in, photo, images, video, audio, content of messages, blogs or other information 
provided by the user may become available to DOI, and may be used to interact or 
provide the requested information or service. Also, there may be unusual cases where 
user interactions indicate evidence of criminal activity, a threat to the government, a 
threat to the public, or employee violation of DO! policy. This information may include 
name, username, email address, photos, images, videos, audio, content of messages, 
blogs or postings, or other personal information provided by the user, and may be used 
to notify the appropriate agency officials or law enforcement organizations. 


Any DOI bureau or office that uses Foursquare in a way that creates a system of records 
must complete a separate PIA for the specific use and collection of information, and 
must maintain the records in accordance with DOI-08, Social Networks system of 
records notice. DOI Privacy Act system of records notices may be viewed at 
http://www.doi.gov/ocio/privacy/DOI_notices.htm. 


Do the agency’s activities trigger the Paperwork Reduction Act (PRA) and, if so, 
how will the agency comply with the statute? 
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No, DOI is not using Foursquare to survey the public or in any manner that would trigger 
the requirements of the Paperwork Reduction Act. 


SECTION 3: The Agency’s Intended or Expected Use of the PII 


3.1 


3.2 


Generally, how will the agency use the PII described in Section 2.0? 


The Department of the Interior uses Foursquare to disseminate information to the public, 
enhance communication, promote public participation and collaboration, and increase 
government transparency. If a user of Foursquare interacts with DOI on its official 
Foursquare page, checks in at a DOI location, posts a tip regarding a DO! location, or 
requests information from their use of Foursquare their name, username, email address, 
location data, time of check in, photo, images, video, audio, content of messages, blogs 
or other information provided by the user may become available to DOI, and may be 
used to interact or provide the requested information or service. Also, there may be 
unusual cases where user interactions indicate evidence of criminal activity, a threat to 
the government, a threat to the public, or an employee violation of DOI policy. This 
information may include name, username, email address, location data, time of check in, 
photos, images, videos, audio, content of messages, blogs or postings, or other personal 
information provided by the user, and may be used to notify the appropriate agency 
Officials or law enforcement organizations. 


Provide specific examples of the types of uses to which PII may be subject. 


If a member of the public requests information or submits feedback through their use of 
Foursquare, their name, username, email address, location data, time of check in, photo, 
images, video, audio, content of messages, blogs or other information provided by the 
user may become available and used to provide the requested information. Also, there 
may be unusual cases where user interactions indicate evidence of criminal activity, a 
threat to the government or the public, or an employee violation of DOI policy. This 
information may include username, email address, location and time of check in, photo, 
images, videos, audio, content of messages or postings, and other information provided 
by the user, and may be used to notify the appropriate agency officials or law 
enforcement organizations. 


SECTION 4: Sharing or Disclosure of PII 


41 


With what entities or persons inside or outside the agency will the PII be shared, 
and for what purpose will the PII be disclosed? 


Foursquare is a third party social networking application used by millions of individuals 
and organizations world-wide, including Federal, Tribal, State and local agencies who 
may have access to the data posted in Foursquare. DOI does not collect PII or share PII 
with these other agencies and is not responsible for how they may access or use 
Foursquare data. However, there may be unusual cases where user interactions 
indicate evidence of criminal activity, a threat to the government, a threat to the public, or 
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an employee violation of DOI policy. These incidents may include name, username, 
email address, location data, time of check in, photos, images, videos, audio, content of 
messages, blogs or postings, or other information provided by the user, and may be 
used to notify the appropriate agency officials or law enforcement organizations. 


4.2 What safeguards will be in place to prevent uses beyond those authorized under 
law and described in this PIA? 


Official mission related information posted on Foursquare by DOI is reviewed and 
approved for public dissemination prior to posting so any privacy risks for the 
unauthorized disclosure of personal data by the Department is mitigated. However, 
except for official postings, DO! does not control the content or privacy policy on 
Foursquare. There could potentially be millions of Foursquare users who have access 
to information posted on Foursquare, including the general public, Federal employees, 
private organizations, and Federal, State, Tribal and local agencies. 


Foursquare requires users to provide a name, email address, city, and gender. 
Additional personal information is provided at the user's discretion. However, the 
provision of information and user consent applies only to terms of use for Foursquare. 
DOI has no control over access restrictions or procedures in Foursquare, or over 
personal information posted by individual Foursquare users. Foursquare is responsible 
for protecting its users’ privacy and the security of the data in the Foursquare 
application. Users are subject to Foursquare’s privacy policy and terms of use, and can 
set their own privacy settings to protect their personal information. 


SECTION 5: Maintenance and Retention of PII 
5.1 How will the agency maintain the PII, and for how long? 


Retention periods vary as records are maintained in accordance with the applicable 
records schedule for each specific type of record maintained by the Department. 
Records published through Foursquare represent public informational releases by the 
Department, and must be assessed on a case-by-case basis depending on the 
individual/entity releasing the information and the purpose of the release. There is no 
single records schedule that covers all informational releases to the public at this time. 


Comments and input from the public must be assessed by whether they contribute to 
decisions or actions made by the government. In such cases where input from the 
public serves a supporting role, the comments must be preserved as supporting 
documentation for the decision made. Approved methods for disposition of records 
include shredding, burning, tearing, and degaussing in accordance with National 
Archives and Records Administration guidelines and 384 Departmental Manual 1. 


5.2 Was the retention period established to minimize privacy risk? 
Retention periods may vary depending on agency requirements and the subject of the 


records for the DOI bureau or office maintaining the records. In cases where data 
serves to support agency business, it must be filed with the pertinent records they 
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support and follow the corresponding disposition instructions. Comments used as 
supporting documentation will utilize the disposition instructions of the records they are 
filed with. 


SECTION 6: How the Agency will Secure PII 


6.1 


6.2 


Will privacy and security officials coordinate to develop methods of securing PII? 


Yes. Privacy and security officials work with the Office of Communications to develop 
methods for protecting individual privacy and securing PII that becomes available to 
DOI. 


How will the agency secure PII? Describe how the agency will limit access to PII, 
and what security controls are in place to protect the PII. 


DOI does not collect, maintain or disseminate PII from Foursquare users. There may be 
unusual cases where user interactions indicate evidence of criminal activity, a threat to 
the government, a threat to the public, or an employee violation of DOI policy. This 
information may include name, username, email address, location data, time of check in, 
photos, images, videos, audio, content of messages, blogs or postings, or other 
information provided by the user, and may be used to notify the appropriate agency 
officials or law enforcement organizations. In these cases PII is secured in accordance 
with DOI Privacy Act regulations 43 CFR 2.51 and applicable DOI privacy and security 
policies. Access to the DOI network is restricted to authorized users with password 
authentication controls, the server is located in secured facilities behind restrictive 
firewalls, and access to databases and files is controlled by the system administrator 
and restricted to authorized personnel based on official need to know. Other security 
controls include continuously monitoring threats, rapid response to incidents, and 
mandatory employee security and privacy training. 


SECTION 7: Identification and Mitigation of Other Privacy Risks 


TA 


What other privacy risks exist, and how will the agency mitigate those risks? 


Foursquare is a private third party application that is independently operated. 
Foursquare controls access to user data within the system. Within Foursquare, users 
control access to their own PII, generally via system settings. DOI has the same access 
as any other Foursquare user dependent on individual user privacy settings. Except for 
official postings, DOI has no control over user content in Foursquare. However, due to 
the fact that Foursquare is owned and operated by a third party, DOI cannot prevent or 
ensure that users do not disclose PII on locations claimed by DOI. Foursquare users 
checking in at locations are at risk of sharing location data with the public. This risk is 
mitigated by individual Foursquare users who voluntarily accept Foursquare’s Terms of 
Service and Privacy Policy, and actively check in at various locations. 


DOI systems do not share data with the Foursquare application, and DOI is not involved 
in the sharing of data, especially PII. The Department does not collect PII from the use 
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7:2 


of Foursquare except in unusual circumstances where user interactions indicate 
evidence of criminal activity, a threat to the government or the public, or an employee 
violation of DOI policy. This information may include name, username, email address, 
location data, time of check in, photos, images, videos, audio, content of messages, 
blogs or postings, or other information provided by the user, and may be used to notify 
the appropriate agency officials or law enforcement organizations. 


Does the agency provide appropriate notice to individuals informing them of 
privacy risks associated with the use of third-party website or application? 


DOIl's Privacy Policy informs the public of how DOI handles personally identifiable 
information that becomes available through interaction on the DOI official website. The 
Privacy Policy also informs the public that DOI has no control over access restrictions or 
privacy procedures on third party applications, and that individuals are subject to third 
party social media application privacy and security policies, DOI's linking policy informs 
the public that they are subject to third party privacy policies when they leave a DOI 
official website to link to third party social media websites. 


The Department of the Interior has also posted a Privacy Notice on its official 
Foursquare page which informs users that Foursquare is a non-government third party 
application. It also informs users of how DOI handles personally identifiable information 
that becomes available through user interactions and checking in at DOI managed 
locations, and directs Foursquare users to the DOI Privacy Policy for information 
handling practices. 


SECTION 8: Creation or Modification of a System of Records 


8.1 


8.2 


Will the agency's activities create or modify a “system of records” under the 
Privacy Act of 1974? 


No. DOI does not collect, maintain or disseminate PII from its use of Foursquare. Any 
DO! bureau or office that creates a system of records from use of Foursquare will 
complete a separate PIA for that specific use and collection of information, and must 
maintain the records in accordance with DOI-08, Social Networks system of records 
notice, which may be viewed at http://www.doi.gov/ocio/privacy/DOI_notices.htm. 


Provide the name and identifier for the Privacy Act system of records. 


DO! does not actively collect, maintain or disseminate PII obtained from the use of 
Foursquare. Any DOI bureau or office that creates a system of records from use of 
Foursquare will complete a separate PIA for that specific use and must maintain the 
records in accordance with DOI-08, Social Networks system of records notice which may 
be viewed at http://www.doi.gov/ocio/privacy/DOI_notices.htm. 





